Logout using POST

e-valuation · Apr 24, 2023 · 3c0338b · 3c0338b
1 parent dface33
commit 3c0338b
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 6 deletions.
diff --git a/evap/evaluation/templates/navbar.html b/evap/evaluation/templates/navbar.html
@@ -121,7 +121,10 @@
                     <a class="nav-link dropdown-toggle" href="#" id="navbarUserDropdownMenuLink" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"><span class="fas fa-user"></span> {{ user.full_name }}</a>
                     <div class="dropdown-menu dropdown-menu-end dropdown-menu-tight" aria-labelledby="navbarUserDropdownMenuLink">
                         <a class="dropdown-item" href="{% url 'evaluation:profile_edit' %}">{% trans 'Profile' %}</a>
-                        <a class="dropdown-item" href="{% url 'django-auth-logout' %}">{% trans 'Logout' %}</a>
+                        <form method="post" action="{% url 'django-auth-logout' %}" id="logout-form">
+                            {% csrf_token %}
+                            <button type="submit" class="dropdown-item">{% trans 'Logout' %}</button>
+                        </form>
                     </div>
                 </li>
             {% endif %}

diff --git a/evap/evaluation/tests/test_auth.py b/evap/evaluation/tests/test_auth.py
@@ -67,7 +67,7 @@ def test_login_key_valid_only_once(self):
         page = self.app.post(url_with_key).follow().follow()
         self.assertContains(page, "Logout")
 
-        page = self.app.get(reverse("django-auth-logout")).follow()
+        page = page.forms["logout-form"].submit().follow()
         self.assertNotContains(page, "Logout")
 
         page = self.app.get(url_with_key).follow()
@@ -162,7 +162,7 @@ def test_entering_staff_mode_after_logout_and_login(self):
         self.assertContains(page, "Logout")
 
         # log out user
-        page = self.app.get(reverse("django-auth-logout")).follow()
+        page = page.forms["logout-form"].submit().follow()
         self.assertNotContains(page, "Logout")
 
         # log user in again

diff --git a/evap/grades/templates/grades_upload_form.html b/evap/grades/templates/grades_upload_form.html
@@ -22,7 +22,7 @@ <h3 class="mb-3">
             {% blocktrans with course=course.name semester=semester.name %}Upload midterm grades for {{ course }} ({{ semester }}){% endblocktrans %}
         {% endif %}
     </h3>
-    <form method="POST" class="form-horizontal" enctype="multipart/form-data">
+    <form method="POST" class="form-horizontal" id="grades-upload-form" enctype="multipart/form-data">
         {% csrf_token %}
         <div class="card mb-3">
             <div class="card-body">

diff --git a/evap/grades/tests.py b/evap/grades/tests.py
@@ -242,7 +242,7 @@ def test_edit_grades(self) -> None:
         previous_modifying_user = self.grade_document.last_modified_user
         self.assertNotEqual(previous_modifying_user, self.grade_publisher)
         response = self.app.get(self.url, user=self.grade_publisher)
-        form = response.forms[3]
+        form = response.forms["grades-upload-form"]
         form["description_en"] = "Absolutely final grades"
         form["file"] = ("grades.txt", b"You did great!")
         form.submit()

diff --git a/evap/student/tests/test_views.py b/evap/student/tests/test_views.py
@@ -380,7 +380,9 @@ def test_user_logged_out(self):
         page = self.app.get(self.url, user=self.voting_user1, status=200)
         form = page.forms["student-vote-form"]
         self.fill_form(form)
-        page = self.app.get(reverse("django-auth-logout"), user=self.voting_user1, status=302)
+
+        page = page.forms["logout-form"].submit(status=302)
+
         response = form.submit(status=302)
         self.assertNotIn(SUCCESS_MAGIC_STRING, response)